JVM runtime class loading protection agent.

Overview

GuanYu -> 关羽

A JVM class-loading monitoring agent with a configurable blacklist that blocks malicious classes from being loaded (including JSP webshells).

I. Usage

1. Build and package

Command (either of the following):

gradle :agent:shadowJar

./gradlew :agent:shadowJar

The build produces agent/build/libs/agent-xxx.jar

2. Running as a -javaagent

When starting the application to be monitored, add the following JVM option to load the agent:

-javaagent:/Users/threedr3am/git-project/GuanYu/agent/build/libs/agent-1.0-SNAPSHOT-all.jar="denyMethodsConfigFile=/Users/threedr3am/git-project/GuanYu/conf/deny.conf"

denyMethodsConfigFile is an agent parameter; see below for more parameters.

3. Attaching at runtime

java -jar GuanYu.jar 23232 denyMethodsConfigFile=/tmp/deny.conf

  • 23232 is the PID of the JVM to attach to
  • denyMethodsConfigFile=/tmp/deny.conf sets the path of the method blacklist configuration file

II. Method call blacklist

Agent parameter: denyMethodsConfigFile

Example: denyMethodsConfigFile=/Users/threedr3am/git-project/GuanYu/conf/deny.conf

Contents:

java/lang/Runtime exec * sun/usagetracker/UsageTrackerClient
java/lang/ProcessBuilder start *

Fields are space-separated:

  • Field 1: the class to intercept, in JVM internal form (slash-separated, e.g. java/lang/Runtime)
  • Field 2: the method name to intercept (* intercepts all methods)
  • Field 3: the method descriptor to intercept (* intercepts all descriptors)
  • Field 4: a whitelisted calling class that is exempt from the rule (optional)
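To make the blacklist semantics concrete, here is an added example (not code from the GuanYu project) that parses a deny.conf in the format above and decides whether a given call site should be blocked. Because the page does not spell out the matching rules, the example assumes that each field matches exactly, that `*` is the only wildcard, that a missing fourth field means no caller is exempt, and that lines starting with `#` are comments. The sample config extends the page's two rules with a constructed `javax/naming/InitialContext lookup` rule to show that a rule with a concrete descriptor matches only that overload; the caller class names used in the checks are constructed as well.

```python
"""Added example: parser and matcher for the deny.conf blacklist format.

Not GuanYu's own code. Matching assumptions (the page does not state them):
fields match exactly, '*' is the only wildcard, a missing 4th field means no
caller is exempt, and lines starting with '#' are comments.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the page's two rules plus one extra rule with a concrete
# descriptor, so that only the String overload of lookup() is covered.
SAMPLE_DENY_CONF = """\
# class method descriptor [whitelisted-caller]
java/lang/Runtime exec * sun/usagetracker/UsageTrackerClient
java/lang/ProcessBuilder start *
javax/naming/InitialContext lookup (Ljava/lang/String;)Ljava/lang/Object;
"""


@dataclass(frozen=True)
class DenyRule:
    owner: str                      # class to intercept, JVM internal form (java/lang/Runtime)
    method: str                     # method name, or '*'
    descriptor: str                 # JVM method descriptor, or '*'
    allowed_caller: Optional[str]   # caller class exempt from this rule, if any


def parse_deny_conf(text: str) -> List[DenyRule]:
    """Parse the space-separated deny.conf format into DenyRule objects."""
    rules: List[DenyRule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) not in (3, 4):
            raise ValueError(
                f"deny.conf line {lineno}: expected 3 or 4 fields, got {len(fields)}: {line!r}"
            )
        owner, method, descriptor = fields[:3]
        allowed_caller = fields[3] if len(fields) == 4 else None
        rules.append(DenyRule(owner, method, descriptor, allowed_caller))
    return rules


def _field_matches(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def is_denied(rules: List[DenyRule], owner: str, method: str,
              descriptor: str, caller: str) -> bool:
    """True if a call owner.method(descriptor) made from class `caller` should be blocked.

    A rule with a whitelisted caller still blocks every other caller.
    """
    for rule in rules:
        if rule.owner != owner:
            continue
        if not _field_matches(rule.method, method):
            continue
        if not _field_matches(rule.descriptor, descriptor):
            continue
        if rule.allowed_caller is not None and rule.allowed_caller == caller:
            continue  # the one exempted caller; keep checking the remaining rules
        return True
    return False


def to_internal_name(binary_name: str) -> str:
    """'java.lang.Runtime' (Class.getName) -> 'java/lang/Runtime' (deny.conf form)."""
    return binary_name.replace(".", "/")


if __name__ == "__main__":
    rules = parse_deny_conf(SAMPLE_DENY_CONF)
    exec_desc = "(Ljava/lang/String;)Ljava/lang/Process;"
    # Constructed caller names: a JSP webshell class and the whitelisted JDK class.
    print(is_denied(rules, "java/lang/Runtime", "exec", exec_desc, "org/apache/jsp/shell_jsp"))            # True
    print(is_denied(rules, "java/lang/Runtime", "exec", exec_desc, "sun/usagetracker/UsageTrackerClient"))  # False
    print(is_denied(rules, "javax/naming/InitialContext", "lookup",
                    "(Ljavax/naming/Name;)Ljava/lang/Object;", "org/apache/jsp/shell_jsp"))  # False: other overload
```

Class names in the config use the slash-separated internal form that the JVM hands to a ClassFileTransformer, not the dotted form returned by Class.getName(); to_internal_name converts between the two. Note also that a descriptor of `*` is what makes the ProcessBuilder rule cover every start() overload, whereas the constructed lookup rule deliberately leaves the Name overload uncovered.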
Comments
  • Master, a question about two of your other projects

    After your update, the project below fails to compile with Maven. Neither the Aliyun mirror nor the official repository works; I tested on an overseas VPS and on two machines and got the same error: https://github.com/threedr3am/ysoserial/

    [INFO] BUILD FAILURE
    [INFO] ------------------------------------------------------------------------
    [INFO] Total time:  11.175 s
    [INFO] Finished at: 2021-03-25T16:06:12+08:00
    [INFO] ------------------------------------------------------------------------
    [ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.5.1:compile (default-compile) on project ysoserial: Compilation failure: Compilation failure:
    [ERROR] D:\yso-threedr3am\ysoserial\src\main\java\ysoserial\payloads\FileUpload1.java:[11,35] error: cannot find symbol
    [ERROR]   symbol:   class DeferredFileOutputStream
    [ERROR]   location: package org.apache.commons.io.output
    [ERROR] D:\yso-threedr3am\ysoserial\src\main\java\ysoserial\payloads\FileUpload1.java:[12,35] error: cannot find symbol
    [ERROR] -> [Help 1]
    [ERROR]
    [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
    [ERROR] Re-run Maven using the -X switch to enable full debug logging.
    [ERROR]
    [ERROR] For more information about the errors and possible solutions, please read the following articles:
    [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException


    Also, regarding this project: it currently supports the Shiro-721 FUZZ gadget. Could you add FUZZ for Shiro-550 as well?

    http://github.com/threedr3am/marshalsec

    opened by M00nT0 2
  • Error when attaching at runtime

    Environment:

    • Mac 11.4
    • JDK 8 1.8.0_275-b01

    Error log - GuanYu

    ~/WorkSpace/reproduce/GuanYu (main) $ java -jar agent-mac.jar 11240 denyMethodsConfigFile=/tmp/deny.conf
    Exception in thread "main" java.io.IOException: Premature EOF
    	at sun.tools.attach.HotSpotVirtualMachine.readInt(HotSpotVirtualMachine.java:292)
    	at sun.tools.attach.BsdVirtualMachine.execute(BsdVirtualMachine.java:183)
    	at sun.tools.attach.HotSpotVirtualMachine.loadAgentLibrary(HotSpotVirtualMachine.java:58)
    	at sun.tools.attach.HotSpotVirtualMachine.loadAgentLibrary(HotSpotVirtualMachine.java:79)
    	at sun.tools.attach.HotSpotVirtualMachine.loadAgent(HotSpotVirtualMachine.java:103)
    	at me.threedr3am.guanyu.agent.GuanYu.main(GuanYu.java:51)
    
    

    Error log - Spring Boot app

    
      .   ____          _            __ _ _
     /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
    ( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
     \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
      '  |____| .__|_| |_|_| |_\__, | / / / /
     =========|_|==============|___/=/_/_/_/
     :: Spring Boot ::                (v2.4.2)
    
    2021-07-29 17:23:52.393  INFO 9530 --- [           main] c.s.kaiming.KaimingShieldApplication     : Starting KaimingShieldApplication v0.0.1-SNAPSHOT using Java 1.8.0_275 on ShellSnipers-MacBook-Pro.local with PID 9530 (/Users/levonpro/WorkSpace/kaiming-demo/target/kaiming-0.0.1-SNAPSHOT.jar started by levonpro in /Users/levonpro/WorkSpace/kaiming-demo/target)
    2021-07-29 17:23:52.396  INFO 9530 --- [           main] c.s.kaiming.KaimingShieldApplication     : No active profile set, falling back to default profiles: default
    2021-07-29 17:23:53.111  INFO 9530 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port(s): 8080 (http)
    2021-07-29 17:23:53.127  INFO 9530 --- [           main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]
    2021-07-29 17:23:53.127  INFO 9530 --- [           main] org.apache.catalina.core.StandardEngine  : Starting Servlet engine: [Apache Tomcat/9.0.41]
    2021-07-29 17:23:53.190  INFO 9530 --- [           main] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext
    2021-07-29 17:23:53.190  INFO 9530 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 759 ms
    2021-07-29 17:23:53.363  INFO 9530 --- [           main] o.s.s.concurrent.ThreadPoolTaskExecutor  : Initializing ExecutorService 'applicationTaskExecutor'
    2021-07-29 17:23:53.554  INFO 9530 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8080 (http) with context path ''
    2021-07-29 17:23:53.567  INFO 9530 --- [           main] c.s.kaiming.KaimingShieldApplication     : Started KaimingShieldApplication in 1.496 seconds (JVM running for 1.862)
    [GuanYu] class-loading monitoring agent starting ...
    [GuanYu] args: denyMethodsConfigFile=/tmp/deny.conf
    [GuanYu] new class load detected: me/threedr3am/guanyu/core/PluginManager
    [GuanYu] loading plugin: class me.threedr3am.guanyu.plugin.BcelDenyPlugin
    [GuanYu] loading plugin: class me.threedr3am.guanyu.plugin.BlackMethodDenyPlugin
    [GuanYu] plugins loaded: 2
    [GuanYu] reading method-call blacklist config file ...
    java/lang/Runtime exec * sun/usagetracker/UsageTrackerClient
    java/lang/ProcessBuilder start *
    [GuanYu] retransform class: org.springframework.boot.SpringApplicationRunListeners$$Lambda$518/891093184
    [GuanYu] retransform class: org.springframework.boot.SpringApplicationRunListeners$$Lambda$517/310623126
    [GuanYu] retransform class: org.springframework.beans.CachedIntrospectionResults$$Lambda$516/1793799654
    [GuanYu] retransform class: org.springframework.beans.CachedIntrospectionResults$$Lambda$515/691690486
    [GuanYu] retransform class: org.springframework.beans.CachedIntrospectionResults$$Lambda$514/1118078504
    [GuanYu] retransform class: org.springframework.boot.autoconfigure.condition.ConditionEvaluationReport$$Lambda$513/1427651360
    [GuanYu] retransform class: org.springframework.boot.autoconfigure.condition.ConditionEvaluationReport$$Lambda$512/29183965
    [GuanYu] retransform class: java.util.stream.Collectors$$Lambda$511/1740797075
    ...
    ...
    [GuanYu] retransform class: java.lang.String
    [GuanYu] retransform class: java.lang.CharSequence
    [GuanYu] retransform class: java.lang.Comparable
    [GuanYu] retransform class: java.io.Serializable
    [GuanYu] retransform class: java.lang.Object
    #
    # A fatal error has been detected by the Java Runtime Environment:
    #
    #  SIGSEGV (0xb) at pc=0x0000000110229439, pid=9530, tid=0x000000000000450b
    #
    # JRE version: OpenJDK Runtime Environment (8.0_275-b01) (build 1.8.0_275-b01)
    # Java VM: OpenJDK 64-Bit Server VM (25.275-b01 mixed mode bsd-amd64 compressed oops)
    # Problematic frame:
    # V  [libjvm.dylib+0x52f439]  Symbol::as_C_string() const+0xd
    #
    # Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
    #
    # An error report file with more information is saved as:
    # /Users/levonpro/WorkSpace/kaiming-demo/target/hs_err_pid9530.log
    #
    # If you would like to submit a bug report, please visit:
    #   https://github.com/AdoptOpenJDK/openjdk-support/issues
    
    opened by shellsniper 0
Owner: threedr3am